On Tue, 15 Nov 2011, Frederic Detienne wrote:
> Can you please explain your point about transport mode being bad? We do not see any problem with it in real world deployments. It is quite the opposite actually.
I meant the kludge where transport mode (host-host) has to deal with NAT-T where the inner IP of the client is used, making it kinda a tunnel mode (internalip/32-host-host).
> I agree that AH is a hindrance, especially that it protects the non-mutable fields of the IP header and therefore prevents NAT and ToS re-marking. I.e. the main difference between AH and ESP_NULL is really this outer IP header protection which is detrimental in most practical networks.
Yes. We've seen cellphone manufacturers that use Linux specifically patching Openswan KLIPS to allow ToS rewriting.

Paul

_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec
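As an added illustration of the outer-header-protection point made in this exchange (example code written for this page, not from the thread, the IETF, or Openswan/KLIPS): it builds transport-mode AH and ESP-NULL packets authenticated with HMAC-SHA1-96, computes the AH ICV over the IPv4 header with the mutable fields that RFC 4302 lists zeroed, and then applies the two outer-header rewrites a middlebox performs, a NAT source-address rewrite and a DSCP re-mark. The key, addresses and payload are constructed test values, and the packet layouts are minimal (no IP options, no ESP IV). One caveat worth knowing when implementing this: RFC 4302 treats the IPv4 TOS byte as mutable and excludes it from the ICV, so in this model only the address rewrite breaks AH; ESP's ICV never covers the IP header, so neither rewrite affects ESP-NULL.

```python
import hashlib
import hmac
import socket
import struct
from typing import Optional

AH_PROTO, ESP_PROTO, UDP_PROTO = 51, 50, 17
ICV_LEN = 12  # HMAC-SHA1-96 (RFC 2404): SHA-1 output truncated to 96 bits


def ip_checksum(hdr: bytes) -> int:
    """One's-complement checksum over an IPv4 header whose checksum field is zero."""
    if len(hdr) % 2:
        hdr += b"\x00"
    s = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return (~s) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int, tos: int = 0, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with the checksum filled in."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, tos, 20 + payload_len, 0x1234, 0x4000, ttl, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]


def _ah_icv_input(ip_hdr: bytes, ah_hdr: bytes, payload: bytes) -> bytes:
    """Bytes the AH ICV is computed over, per RFC 4302 3.3.3.1: the IPv4 header with its
    mutable fields zeroed (TOS, flags/fragment offset, TTL, header checksum), the AH header
    with the ICV field zeroed, and the payload. Source and destination addresses stay in."""
    h = bytearray(ip_hdr)
    h[1] = 0                  # TOS
    h[6:8] = b"\x00\x00"      # flags + fragment offset
    h[8] = 0                  # TTL
    h[10:12] = b"\x00\x00"    # header checksum
    a = bytearray(ah_hdr)
    a[12:12 + ICV_LEN] = bytes(ICV_LEN)
    return bytes(h) + bytes(a) + payload


def build_ah_packet(key: bytes, src: str, dst: str, payload: bytes, tos: int = 0,
                    spi: int = 0x1000, seq: int = 1) -> bytes:
    """Transport-mode AH: IP | AH(next, len, reserved, SPI, seq, ICV) | payload."""
    ah = struct.pack("!BBHII", UDP_PROTO, (12 + ICV_LEN) // 4 - 2, 0, spi, seq) + bytes(ICV_LEN)
    ip = ipv4_header(src, dst, AH_PROTO, len(ah) + len(payload), tos=tos)
    icv = hmac.new(key, _ah_icv_input(ip, ah, payload), hashlib.sha1).digest()[:ICV_LEN]
    return ip + ah[:12] + icv + payload


def verify_ah(key: bytes, pkt: bytes) -> bool:
    ip, ah, payload = pkt[:20], pkt[20:44], pkt[44:]
    if ip[9] != AH_PROTO:
        return False
    expected = hmac.new(key, _ah_icv_input(ip, ah, payload), hashlib.sha1).digest()[:ICV_LEN]
    return hmac.compare_digest(expected, ah[12:24])


def build_esp_null_packet(key: bytes, src: str, dst: str, payload: bytes, tos: int = 0,
                          spi: int = 0x2000, seq: int = 1) -> bytes:
    """Transport-mode ESP with NULL encryption (RFC 4303): IP | SPI, seq | payload | pad |
    pad len, next header | ICV. The ICV covers the ESP header and body only, never the IP header."""
    pad_len = (-(len(payload) + 2)) % 4          # pad so pad len + next header end on a 4-byte boundary
    body = payload + bytes(range(1, pad_len + 1)) + struct.pack("!BB", pad_len, UDP_PROTO)
    esp = struct.pack("!II", spi, seq) + body
    icv = hmac.new(key, esp, hashlib.sha1).digest()[:ICV_LEN]
    ip = ipv4_header(src, dst, ESP_PROTO, len(esp) + ICV_LEN, tos=tos)
    return ip + esp + icv


def verify_esp_null(key: bytes, pkt: bytes) -> bool:
    if pkt[9] != ESP_PROTO:
        return False
    esp, icv = pkt[20:-ICV_LEN], pkt[-ICV_LEN:]
    return hmac.compare_digest(hmac.new(key, esp, hashlib.sha1).digest()[:ICV_LEN], icv)


def rewrite_outer(pkt: bytes, src: Optional[str] = None, tos: Optional[int] = None) -> bytes:
    """What a NAT (new source address) or a DSCP re-marking router (new TOS byte) does to the
    outer header, including recomputing the IP header checksum."""
    h = bytearray(pkt[:20])
    if src is not None:
        h[12:16] = socket.inet_aton(src)
    if tos is not None:
        h[1] = tos
    h[10:12] = b"\x00\x00"
    h[10:12] = struct.pack("!H", ip_checksum(bytes(h)))
    return bytes(h) + pkt[20:]


def demo() -> dict:
    key = b"constructed-test-key-not-for-real-use"           # constructed test key
    payload = b"\x04\xd2\x00\x35\x00\x0chello"               # constructed UDP-shaped payload
    ah = build_ah_packet(key, "10.0.0.2", "192.0.2.10", payload)
    esp = build_esp_null_packet(key, "10.0.0.2", "192.0.2.10", payload)
    return {
        "ah_untouched": verify_ah(key, ah),
        "ah_after_nat": verify_ah(key, rewrite_outer(ah, src="203.0.113.5")),
        "ah_after_dscp_remark": verify_ah(key, rewrite_outer(ah, tos=0xB8)),
        "esp_null_untouched": verify_esp_null(key, esp),
        "esp_null_after_nat": verify_esp_null(key, rewrite_outer(esp, src="203.0.113.5")),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'ICV ok' if ok else 'ICV FAILS'}")
```

The address rewrite is the only one that breaks AH here, which is the NAT incompatibility the thread describes; with ESP the header is outside the ICV, so it survives the same rewrite, and NAT-T (UDP encapsulation) only has to deal with the transport checksum inside the payload, which this example does not model.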